Hello!
I've been trying to get OpenAFS 1.4.2 to work with Microsoft Active Directory
(AD) 2003 as KDC for some weeks now, and I'm starting to believe I should have
gone on that early vacation after all. I just can't get it to work. It ends at:
19270407 = security object was passed a bad ticket
I have a lab environment consisting of an AD (lab.scania.com) and one AFS
server/cell. (cellname: sss.se.scania.com, servername: vmware01.scania.com)
I have verified that OpenAFS works by setting up a MIT Kerberos 5 server in
parallel (separate server): I successfully authenticated and can access,
read and write files in my AFS directory. But swapping to the AD gives no luck
whatsoever.
This is where it ends up:
(On AD side)
C:\>ktpass -out afs-keytab-des-cbc-md5 -princ afs/[EMAIL PROTECTED] -mapuser
afs -crypto DES-CBC-MD5 -pass *
Targeting domain controller: SeSoCoLab11.scania.se
Successfully mapped afs/sss.se.scania.com to afs.
Type the password for afs/sss.se.scania.com:
Type the password again to confirm:
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to afs-keytab-des-cbc-md5:
Keytab version: 0x502
keysize 63 afs/[EMAIL PROTECTED] ptype 0 (KRB5_NT_UNKNOWN) vno 7
etype 0x3 (DES-CBC-MD5) keylength 8 (0xd0d352801964ad19)
(I email this file to my RedHat ES4 Linux server, vmware01, which also holds the
AFS server.)
I now add the key:
[EMAIL PROTECTED] ~]# asetkey add 7 afs-keytab-des-cbc-md5 afs/sss.se.scania.com
[EMAIL PROTECTED] ~]# asetkey list
kvno 0: key is: e9d6f2e068d97386
kvno 7: key is: d0d352801964ad19
------- I now clean up any old tickets/tokens:
[EMAIL PROTECTED] ~]# unlog
[EMAIL PROTECTED] ~]# kdestroy
------- I get my ticket - using my AD password:
[EMAIL PROTECTED] ~]# kinit -V sssler
Password for [EMAIL PROTECTED]:
Authenticated to Kerberos v5
[EMAIL PROTECTED] ~]# klist -e -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting Expires Service principal
01/03/07 12:12:21 01/03/07 22:12:11 krbtgt/[EMAIL PROTECTED]
renew until 01/04/07 12:12:21, Etype (skey, tkt): DES cbc mode with
CRC-32, ArcFour with HMAC/md5
------- I aklog successfully:
[EMAIL PROTECTED] ~]# aklog -d
Authenticating to cell sss.se.scania.com (server vmware01.sss.se.scania.com).
We've deduced that we need to authenticate to realm LAB.SCANIA.COM.
Getting tickets: afs/[EMAIL PROTECTED]
Using Kerberos V5 ticket natively
About to resolve name sssler to id in cell sss.se.scania.com.
Id 4067
Set username to AFS ID 4067
Setting tokens. AFS ID 4067 / @ LAB.SCANIA.COM
[EMAIL PROTECTED] ~]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 4067) tokens for [EMAIL PROTECTED] [Expires Jan 3 22:30]
--End of list--
[EMAIL PROTECTED] ~]# klist -e -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting Expires Service principal
01/03/07 12:30:37 01/03/07 22:30:34 krbtgt/[EMAIL PROTECTED]
renew until 01/04/07 12:30:37, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
01/03/07 12:30:36 01/03/07 22:30:34 afs/[EMAIL PROTECTED]
renew until 01/04/07 12:30:37, Etype (skey, tkt): DES cbc mode with
CRC-32, DES cbc mode with RSA-MD5
--- from here I think I should be able to touch a file in my home directory
(which I can do if I use MIT Kerberos), but it fails with permission denied.
$ touch /afs/sss.se.scania.com/home/sssler
touch: cannot touch `/afs/sss.se.scania.com/home/sssler/foobar': Permission
denied
$ tail /var/log/messages
...
Jan 3 10:59:49 vmware01 kernel: afs: Tokens for user of AFS id 4067 for cell
sss.se.scania.com are discarded (rxkad error=19270407)
Basically, this is what I have done on the AD side:
* Created the user "afs" (afs/sss.se.scania.com) and set the options in the
"Account" tab:
[Account is sensitive and cannot be delegated]
[use DES encryption types]
[Password never expires]
[Do not require Kerberos preauthentication]
* I have set in the "Delegation" tab
[Trust user for delegation to any Service (Kerberos only)]
This is my /etc/krb5.conf:

[libdefaults]
    default_realm = LAB.SCANIA.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc des-cbc-md5

[realms]
    LAB.SCANIA.COM = {
        kdc = sesoco0206.scania.com
        default_domain = scania.com
    }

[domain_realm]
    .scania.se = LAB.SCANIA.COM
    scania.se = LAB.SCANIA.COM
    .scania.com = LAB.SCANIA.COM
    scania.com = LAB.SCANIA.COM

[appdefaults]
    kinit = {
        renewable = true
        forwardable = true
    }
What am I doing wrong? It seems it should be fairly straightforward.
/Erik Lönroth
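
The first thing to verify in a setup like the one above is that the key the
file server actually holds (the KeyFile entry printed by `asetkey list`) is
byte-for-byte the DES key that ktpass wrote into the keytab, under the same
kvno, because rxkad will reject a ticket it cannot decrypt with the KeyFile key
for the kvno the ticket names. The script below is an added example for this
thread, not code from the original post or from OpenAFS: it parses a format
0x0502 keytab (the layout ktpass and MIT krb5 write), parses the text printed
by `asetkey list`, and reports per afs/<cell> entry whether the key is
present, identical, single-DES and of odd parity. The keytab bytes are
constructed here to mirror the ktpass output quoted in the post
(afs/sss.se.scania.com@LAB.SCANIA.COM, ptype 0, vno 7, etype 3, key
d0d352801964ad19); the entry timestamp is an assumption, since ktpass does
not print it. The `asetkey list` text is likewise constructed from the post.

```python
"""Compare the afs/<cell> entry of a keytab with the KeyFile listing from `asetkey list`.

Added example, not from the original post or from OpenAFS. Keytab bytes and
asetkey output are constructed to mirror the post; the timestamp is assumed.
"""
import re
import struct

DES_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}


def _octets(b: bytes) -> bytes:
    """Keytab counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(principal: str, realm: str, kvno: int, etype: int, key: bytes,
                 name_type: int = 0, timestamp: int = 0) -> bytes:
    """Serialise a one-entry keytab in format 0x0502, as MIT krb5 and ktpass write it."""
    body = struct.pack(">H", principal.count("/") + 1) + _octets(realm.encode())
    for comp in principal.split("/"):
        body += _octets(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", etype) + _octets(key)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry of a 0x0502 keytab; negative-size slots are deleted entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end, p = pos + size, pos
        ncomp, rlen = struct.unpack_from(">HH", data, p)
        p += 4
        realm = data[p:p + rlen].decode()
        p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p)
            p += 2
            comps.append(data[p:p + clen].decode())
            p += clen
        name_type, _timestamp, vno = struct.unpack_from(">IIB", data, p)
        p += 9
        etype, klen = struct.unpack_from(">HH", data, p)
        p += 4
        key = data[p:p + klen]
        p += klen
        if end - p >= 4:  # optional 32-bit kvno overrides the 8-bit field
            (vno,) = struct.unpack_from(">I", data, p)
        entries.append({"size": size, "principal": "/".join(comps), "realm": realm,
                        "name_type": name_type, "kvno": vno, "etype": etype, "key": key})
        pos = end
    return entries


def parse_asetkey_list(text: str) -> dict:
    """Map kvno -> 8-byte key from lines of the form `kvno N: key is: <16 hex digits>`."""
    keys = {}
    for line in text.splitlines():
        m = re.match(r"\s*kvno\s+(\d+):\s+key is:\s+([0-9a-fA-F]{16})\s*$", line)
        if m:
            keys[int(m.group(1))] = bytes.fromhex(m.group(2))
    return keys


def des_odd_parity(key: bytes) -> bool:
    """rxkad uses single DES; every key byte must carry odd parity."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def check_afs_key(keytab: bytes, asetkey_output: str, cell: str) -> list:
    """Return (kvno, status) per afs/<cell> keytab entry: ok, wrong-etype, missing, mismatch, bad-parity."""
    keyfile = parse_asetkey_list(asetkey_output)
    results = []
    for e in parse_keytab(keytab):
        if e["principal"] != "afs/" + cell:
            continue
        if e["etype"] not in DES_ETYPES:
            status = "wrong-etype"   # rxkad can only use a single-DES key
        elif e["kvno"] not in keyfile:
            status = "missing"       # no `asetkey add <kvno> ...` for this kvno
        elif keyfile[e["kvno"]] != e["key"]:
            status = "mismatch"      # KeyFile holds a different key under this kvno
        elif not des_odd_parity(e["key"]):
            status = "bad-parity"
        else:
            status = "ok"
        results.append((e["kvno"], status))
    return results


# Constructed to match the ktpass output in the post; the timestamp is an assumption.
KEYTAB = build_keytab("afs/sss.se.scania.com", "LAB.SCANIA.COM", 7, 3,
                      bytes.fromhex("d0d352801964ad19"), name_type=0, timestamp=1167825600)
# Constructed from the `asetkey list` output in the post.
ASETKEY_OUTPUT = "kvno 0: key is: e9d6f2e068d97386\nkvno 7: key is: d0d352801964ad19\n"

if __name__ == "__main__":
    for e in parse_keytab(KEYTAB):
        print("keysize %d %s@%s ptype %d vno %d etype %d key %s" % (
            e["size"], e["principal"], e["realm"], e["name_type"], e["kvno"], e["etype"], e["key"].hex()))
    print(check_afs_key(KEYTAB, ASETKEY_OUTPUT, "sss.se.scania.com"))
```

Against a real file, replace `KEYTAB` with `open("afs-keytab-des-cbc-md5", "rb").read()` and paste the
current `asetkey list` output. The entry size the parser reports (63 bytes for the constructed entry)
is the same number ktpass prints as `keysize`, which is a quick way to confirm the keytab was not
mangled in transit. What this check cannot see is which key the KDC is currently using for the afs
principal: if the KDC issues tickets under a key or kvno that differs from the keytab, the KeyFile
comparison will pass while the file server still cannot decrypt the ticket.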